Critical Ivanti RCE flaw with public exploit now used in attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability, CVE-2024-29824, to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. This vulnerability affects Ivanti Endpoint Manager (EPM) and was patched in May 2024. With a CVSS score of 9.6, it is categorized as a highly severe threat.
The flaw is a SQL Injection vulnerability in the Core server of Ivanti EPM versions 2022 SU5 and earlier. It allows an unauthenticated attacker who is within the same network to execute arbitrary code. SQL Injection vulnerabilities can be particularly dangerous as they permit attackers to manipulate databases, execute malicious commands, and potentially take control of the affected systems.
Organizations using Ivanti EPM are advised to apply the patch released by the vendor in May 2024 to mitigate the risk of exploitation.
Ivanti initially addressed CVE-2024-29824, along with five other remote code execution vulnerabilities, in security updates released in May 2024 for Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier versions. Despite these updates, the vulnerability has since been actively exploited, prompting heightened warnings.
In June 2024, security researchers from Horizon3.ai conducted a deep analysis of the vulnerability and published a proof-of-concept (PoC) exploit on GitHub. This PoC allows attackers to blindly execute commands on unpatched Ivanti EPM appliances. The researchers recommended that administrators check MS SQL logs for evidence of xp_cmdshell being used, a key indicator of potential exploitation, as this stored procedure can be leveraged to execute system-level commands via SQL Injection.
As of today, Ivanti has updated its security advisory, confirming that CVE-2024-29824 is being actively exploited in real-world attacks. Organizations using Ivanti EPM should prioritize patching and reviewing their systems for signs of compromise to prevent further breaches.
IMPACT
- Remote Code Execution (RCE):
- Attackers can execute arbitrary commands on the vulnerable system, leading to a full compromise of the affected EPM server. This could allow them to install malware, exfiltrate sensitive data, or disrupt critical services.
- Network Compromise:
- Because Ivanti EPM manages a wide range of client devices across different platforms (Windows, macOS, Chrome OS, IoT), a compromised EPM server could serve as a launchpad for further attacks within the organization’s network, potentially allowing the attacker to pivot to other systems.
- Data Breach:
- Sensitive data stored or managed by the Ivanti EPM server, including configuration files, credentials, and managed device data, could be stolen or tampered with.
- Disruption of Operations:
- Since EPM is critical for managing endpoint security, patching, and software deployment, an attack could disrupt the management and security of devices across the organization, leading to downtime and operational delays.
- Increased Vulnerability to Future Attacks:
- Attackers could implant backdoors or persistence mechanisms during an exploitation attempt, which could allow them to re-enter the system even after partial remediation, increasing the long-term risk to the organization.
- Regulatory and Compliance Issues:
- For organizations in regulated industries, such as healthcare, finance, or government, a breach could result in violations of data protection laws (e.g., GDPR, HIPAA), potentially leading to legal action, fines, and reputational damage.
Technical Details
Technical Details of CVE-2024-29824
- CVE ID:
CVE-2024-29824 - CVSS (Common Vulnerability Scoring System) Score:
9.6/10 (Critical severity)- This high CVSS score reflects the severity of the vulnerability, indicating that it is easily exploitable, has a significant impact on confidentiality, integrity, and availability, and requires urgent attention.
- Vulnerability Type:
SQL Injection- SQL Injection is a type of vulnerability where an attacker can insert or manipulate SQL queries in the backend database, allowing them to execute arbitrary SQL commands. In this case, it enables attackers to execute system commands.
- Affected Product:
- Ivanti Endpoint Manager (EPM)
- Versions affected: Ivanti EPM 2022 SU5 and earlier
- Ivanti EPM is an endpoint management solution used to manage devices across multiple platforms, including Windows, macOS, Chrome OS, and IoT.
- Vulnerability Description:
- The vulnerability exists in Ivanti EPM’s Core server, allowing unauthenticated attackers within the same network to exploit the system.
- The flaw allows attackers to perform remote code execution (RCE) by injecting malicious SQL commands that can result in arbitrary code execution. Through this, attackers can compromise the system entirely, leading to unauthorized access or control.
- Exploitation Path:
- Exploiting this vulnerability requires the attacker to be on the same network as the Ivanti EPM server. By exploiting the SQL Injection vulnerability, attackers can execute commands that are processed by the server, leading to remote code execution.
- Proof-of-Concept:
- Researchers from Horizon3.ai published a proof-of-concept (PoC) exploit in June 2024. The PoC can be used to “blindly” execute commands on vulnerable Ivanti EPM appliances. This makes exploitation easier for attackers with network access to vulnerable systems.
- Indicators of Compromise (IoCs):
- Administrators are advised to check their MS SQL logs for suspicious activity, particularly the use of the xp_cmdshell command, which allows attackers to execute shell commands via SQL queries. Evidence of this command being used in logs may indicate exploitation.
- Patch Availability:
- Ivanti released patches for this vulnerability in May 2024. These patches address CVE-2024-29824 and five other remote code execution vulnerabilities that were found in the EPM Core server.
- It is essential for organizations running Ivanti EPM 2022 SU5 or earlier to apply these patches immediately to mitigate the risk of exploitation.
- Vendor Advisory:
- Ivanti has updated its security advisory to confirm active exploitation of CVE-2024-29824 in the wild. Admins are strongly advised to patch vulnerable systems and check for signs of exploitation.
Understanding of CVE-2024-29824
It’s a critical SQL Injection vulnerability affecting Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier versions. Ivanti EPM is a widely used endpoint management solution designed to help administrators manage client devices across multiple platforms like Windows, macOS, Chrome OS, and IoT operating systems.
The vulnerability allows unauthenticated attackers within the same network to exploit a weakness in EPM’s Core server. By injecting malicious SQL commands, an attacker can execute arbitrary code on the vulnerable system, potentially gaining full control over the affected EPM server.
Recommendation
- Immediate Application of Security Patches
- Patch all affected systems: Apply the Ivanti patch released in May 2024 for Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier. This patch addresses the SQL Injection vulnerability and other remote code execution flaws.
- Regularly check for security updates from Ivanti and apply them promptly to avoid exploitation of newly discovered vulnerabilities.
- Conduct Vulnerability Scans and Monitor for Exploitation
- Perform a full vulnerability scan: Use tools like Nessus, Qualys, or OpenVAS to scan Ivanti EPM systems for known vulnerabilities, including CVE-2024-29824.
- Log monitoring: Continuously monitor SQL logs for signs of unusual or unauthorized commands, such as xp_cmdshell usage, which is a clear indicator of potential exploitation.
- Set up alerting mechanisms on logs and other monitoring tools to notify admins of any suspicious activity related to SQL commands or configuration changes.
- Enhance Network Segmentation
- Limit network access: Ensure the Ivanti EPM server is isolated and only accessible by trusted devices or users. Restrict network access using firewalls, ACLs, and VLANs to minimize exposure.
- Block untrusted network connections: Only allow EPM server access to authorized IP addresses and block external, untrusted traffic to minimize the chances of exploitation by remote attackers.
- Disable High-Risk SQL Server Features: Disable xp_cmdshell: As this stored procedure can be used to execute OS-level commands, disable it to reduce the risk of exploitation. Use the following SQL commands to disable it:
sql
EXEC sp_configure ‘show advanced options’, 1;
RECONFIGURE;
EXEC sp_configure ‘xp_cmdshell’, 0;
RECONFIGURE;
- Regularly review and restrict database permissions to follow the principle of least privilege, ensuring that only authorized users and systems have the necessary access.
- Strengthen Database Security
- Enforce least privilege principles: Limit database accounts to only the minimum necessary permissions. Unnecessary accounts or overprivileged accounts increase the risk of exploitation.
- Enable Multi-Factor Authentication (MFA): For database administrators and users with privileged access to the Ivanti EPM system, implement MFA to add an extra layer of security.
- Encrypt database connections: Ensure communication between the Ivanti EPM server and the database is encrypted using SSL/TLS to prevent interception of sensitive information.
- Implement Security Best Practices
- Regular backups: Ensure you have reliable and frequent backups of the Ivanti EPM server and its configuration. In the event of a breach, these backups can help quickly restore the system to a known secure state.
- Audit system configurations: Regularly audit the configuration of your Ivanti EPM server, databases, and network devices to identify and close potential security gaps.
- Penetration testing: Conduct regular penetration testing on the Ivanti EPM system and network infrastructure to uncover potential vulnerabilities before attackers do.
- Security Awareness and Incident Response
- Train staff on identifying vulnerabilities and exploits: Provide cybersecurity training to employees and administrators to help them recognize signs of network compromise, SQL Injection attacks, and proper remediation techniques.
- Incident Response Plan: Ensure that your organization has an up-to-date incident response plan in place to react quickly in the event of a breach. This plan should include procedures for identifying, containing, and remediating vulnerabilities like CVE-2024-29824.
- Use Endpoint Detection and Response (EDR) Tools
- Deploy EDR solutions: Implement EDR tools on your Ivanti EPM server and connected endpoints to detect anomalous activity, command execution attempts, and potential lateral movement by attackers.
- SIEM integration: Integrate the EPM server and other critical infrastructure with a Security Information and Event Management (SIEM) system to correlate events across the network and detect suspicious patterns in real-time.
- Zero Trust Architecture
- Adopt a Zero Trust security model: Treat every user and device as untrusted until proven otherwise, and implement robust authentication and authorization mechanisms for accessing Ivanti EPM and other critical infrastructure.
- Continuously monitor and verify all network traffic and access attempts, ensuring that all traffic is inspected for malicious activity, even if it comes from within the organization’s network.
- Contact Ivanti for Assistance
- Reach out to Ivanti support: If there are any uncertainties about applying the patch or if you suspect exploitation, contact Ivanti’s customer support for help. They can assist with patching guidance, forensic investigations, and more.